[TUHS] Who's behind the UNIX filesystem permission implementation

Arthur Krewat krewat at kilonet.net
Thu Aug 1 06:16:25 AEST 2019


Sorry to reply to myself, but I wanted to add one note to this, and 
didn't, which pertains to the "rename" versus "update" part of file 
protections in TOPS-10, and perhaps was a bug that was never fixed, or 
it was, and I didn't know it.

In TOPS-10, you use the monitor call ENTER to update (write to) an 
existing file. It uses a common argument list with LOOKUP and I think a 
few other calls, that include the file name and extension. If a file had 
a 4 protection code for you, you could LOOKUP the file, then ENTER it 
with a different filename, and the filename would change, effectively 
renaming the file which you would think required a 1 protection code. 
You could also, if I recall correctly, specify a different protection.

The significance of this? Many installations put files in SYS: ([1,4]) 
that had a 4 protection code so they could be written to by various 
applications users ran, or it was an oversight by a system 
administrator. Using DDT, one could easily whip up a short piece of code 
to rename any file in SYS: that had a 4 protection code, rename it to a 
.SAV or .SHR (if it needed a highseg) and basically "hide" behind 
another program, such as LOGIN.EXE (When EXE was introduced, I think in 
version 6, TOPS-10 still supported .SAV, .SHR, and .HGH but would 
attempt to run the .EXE first if you didn't specify an extension).

Certain programs in SYS: like LOGIN had JACCT privileges - full rights 
to everything, including device I/O. So, find a writable file in SYS:, 
rename it to LOGIN.SAV, copy PIP over it, or something you cobbled up 
yourself, and take over the system without causing any other issues 
except that missing writable file.

JACCT priv was much like "setuid" in UNIX - except it was a hardcoded 
list of filenames in the monitor (I think mostly or exclusively in SYS:) 
that would get carte blanche access to everything. I believe by version 
7, some programs had been deprecated out of SYS, but they still existed 
in the JACCT list in the monitor.

And boy, there were a lot of systems out there on Telenet or the ARPANET 
that had files in SYS: protected with a 4. Side note: Telenet was BBN's 
attempt to create a private sector ARPANET. 
https://en.wikipedia.org/wiki/Telenet - A late night dumpster dive at 
Radio Shack in the very early 80's got me a local dialin number.

Sorry for the lengthy dissertation :)

On 7/31/2019 1:29 PM, Arthur Krewat wrote:
> TOPS-10 had a 3 octal digit file protection code:
>
> <xxx> - <Owner, Project, Everyone else> - Logins are PPNs - [Project, 
> Programmer] - So if I was [76,5], another user with [76,10] was in the 
> same project. Much like UNIX groups.
>
> Owner Protection Codes
> 7*, 6* - You can execute, read, or change the protection code of the 
> file.
> 5* - You have unlimited access to the file, except for renaming it.
> 4* - You have unlimited access to the file.
> 3 - You can execute, read, or change the protection code of the file.
> 2 - You have unlimited access to the file, except for renaming it.
> 1, 0 - You have unlimited access.
> * The File Daemon is called on a protection failure on this file (my 
> memory is a little fuzzy on this, but I believe it allowed finer 
> grained protections).
>
> Protection Codes for Fields 2 and 3
> 7 - The user cannot access the file.
> 6 - The user can only execute the file.
> 5 - The user can execute or read the file.
> 4 - The user can execute, read, or append to the file.
> 3 - The user can execute, read, append to, or update the file.
> 2 - The user can execute, read, append to, update, and write to the file.
> 1 - The user can execute, read, append to, update, write to, and 
> rename the file.
> 0 - Unlimited access, including changing the protection code of the file.
>
> The name TOPS-10 was first used in 1970, but the monitor itself dates 
> back to 1964. I'm not sure when these protection codes came into 
> being, though.
>
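
The protection-code table quoted above and the LOOKUP/ENTER rename behaviour described in the follow-up, as an added example that is not part of the original message: a Python audit that decodes a code for a given PPN and flags files where the table withholds rename but the code would, per the message's recollection, still let ENTER change the name. The directory listing, the function names, and the extension of the gap from code 4 to codes 2 and 3 are assumptions.

```python
# Added example. Rights tables are transcribed from the quoted message above.
ORDER = ["execute", "read", "append", "update", "write", "rename", "protect"]
# Fields 2 (project) and 3 (everyone else): each lower code adds one right.
OTHER = {code: set(ORDER[:7 - code]) for code in range(8)}
ALL = set(ORDER)
OWNER = {}
for code in (7, 6, 3):          # execute, read, change protection
    OWNER[code] = {"execute", "read", "protect"}
for code in (5, 2):             # unlimited except rename
    OWNER[code] = ALL - {"rename"}
for code in (4, 1, 0):          # unlimited
    OWNER[code] = ALL

def field_index(requester, owner):
    """0 = owner, 1 = same project, 2 = everyone else. PPN = (project, programmer)."""
    if requester == owner:
        return 0
    return 1 if requester[0] == owner[0] else 2

def parse(prot):
    """Split a protection string such as '154' into three octal digits."""
    if len(prot) != 3 or any(c not in "01234567" for c in prot):
        raise ValueError(f"not a 3-digit octal protection code: {prot!r}")
    return [int(c) for c in prot]

def nominal_rights(prot, requester, owner):
    """Rights the table grants this requester, before any ENTER quirk."""
    idx = field_index(requester, owner)
    digit = parse(prot)[idx]
    return OWNER[digit] if idx == 0 else OTHER[digit]

def rename_gap(prot, requester, owner):
    """True when the table denies rename but the ENTER path may still allow it."""
    idx = field_index(requester, owner)
    digit = parse(prot)[idx]
    # Assumption: the message names code 4; codes 2 and 3 grant at least as
    # much access, so they are treated as exposed too. 1 and 0 already rename.
    return idx != 0 and 2 <= digit <= 4

def audit(listing, requester):
    """Names in a (name, owner PPN, protection) listing that show the gap."""
    return [n for n, owner, prot in listing if rename_gap(prot, requester, owner)]

# Constructed listing of a [1,4] area; only LOGIN.EXE is a name from the page.
SAMPLE = [("LOGIN.EXE", (1, 4), "155"), ("EXAMPL.DAT", (1, 4), "154"),
          ("LOCKED.DAT", (1, 4), "157"), ("OPEN.TMP", (1, 4), "111")]

if __name__ == "__main__":
    print(audit(SAMPLE, (76, 5)))
```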
